Fix direct HTTP status sanitizer fallback

This commit is contained in:
Udo 2026-05-21 10:19:43 +00:00
parent 41e9ca219f
commit 8b37e7ea1e
2 changed files with 8 additions and 3 deletions

View File

@ -291,9 +291,11 @@ bool http_set_cookie_header_valid(String header)
String http_status_line_clean(String status_line)
{
if(status_line.find('\r') != String::npos || status_line.find('\n') != String::npos)
return("Status: 500 Internal Server Error");
return(status_line);
if(status_line.find('\r') == String::npos && status_line.find('\n') == String::npos)
return(status_line);
if(str_starts_with(status_line, "HTTP/"))
return("HTTP/1.1 500 Internal Server Error");
return("Status: 500 Internal Server Error");
}
namespace {

View File

@ -58,6 +58,9 @@ def register(registry):
location = response.headers.get("Location", "")
if "\r" in location or "\n" in location:
raise TestFailure("Location header contains raw CR/LF")
status, direct_headers, direct_body = _direct_http_request("/site/tests/security_headers.uce")
if status >= 500 and "security header sanitizer test" not in direct_body:
raise TestFailure("direct HTTP sanitizer test did not render successfully; status=%s" % status)
return "CRLF response header injection was sanitized"
def unknown_session_id_is_not_adopted(context):